Podman: What if you changed your container engine?
Article written with Antoine Martinelli
Podman is an LXC container engine: a program that lets you run and manage LXC containers. LXC stands for Linux Containers. It is basically a virtualization system in which you run applications in an isolated environment. With LXC containers you can create isolated Linux environments that share the same kernel. These containers are built on Linux kernel features. One of the most important kernel features that makes them possible is cgroups, which count, limit and isolate resources such as memory and CPU.
Containers, virtual machines?
Linux containers are not virtual machines. In fact, every container uses the same kernel: the one on the host. It also uses the same shared libraries. Unlike virtual machines, no hardware is really emulated. This gives better performance, at the cost of weaker isolation between host and container.
Podman, the tool
If we consider that Podman is neither a client nor a server, and that it acts directly on containers, we can call it a tool. This tool does not make the system calls itself; it relies on Buildah and runc to manage containers.
A simple Docker clone?
Is Podman just a Docker clone?
People talking about Podman usually say it is exactly like Docker: so close to Docker that a simple `alias docker=podman` would let you use Podman with Docker commands in a transparent way. This is definitely a good thing for developers and system administrators, who may not want to learn an entirely new tool.
This shows that the objective of Podman's developers is not just to make a Docker clone. After all, why build a plain clone with no changes? Podman is able to create "rootless" containers: unlike Docker, it can run with an ordinary user's privileges instead of only root. This solves a lot of the security concerns you would have if someone found a vulnerability in one of your containerized apps. Podman is also "daemonless": it does not use any kind of background daemon to manage containers. Instead, Podman was built as a tool that delegates its job to programs such as Buildah for building images or runc for running containers.
Podman, the ecosystem
Buildah: In Podman's "ecosystem", Buildah is the tool in charge of building and managing images. It is used solely for that task and does not manage containers in any way. It has other features, such as creating containers from a Dockerfile, or creating an OCI image directory holding content that will be pushed to the container registry of your choice. These images can then be used by Podman, Docker, or any OCI-based container runtime tool.
runc: runc is the tool used to create and manage the lifecycle of containers. While Podman uses it, it is not specific to Podman and, like Buildah, can be used as a standalone tool.
Storage: If Podman is used by the root user, containers are stored where the /etc/containers/storage.conf file specifies. If it is used by a non-root user, a dedicated space is created for that user under ~/.local/share/containers/. This ensures that each user's storage space is isolated. Of course this is great for security reasons, but it can lead to duplicated images when several users of a system want to use the same image.
Container security: Being able to run the container engine as a non-privileged user is great news for security, because even if an attacker gets root access inside the container through a vulnerability, they could not get root access outside the container, on the host (assuming they are even able to escape it). Instead, they would be limited to a regular user's rights. Furthermore, since Podman uses a fork/exec approach instead of a client/server approach, there is no server to exploit (it does not even exist), which means less attack surface.
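The rootless, storage and security points above rest on a few host-side prerequisites: a subordinate UID/GID range for the user (so that root inside the container maps to an unprivileged host id), unprivileged user namespaces enabled in the kernel, and a per-user storage directory that other users cannot read. The script below is an added example, not code from the article or from the Podman project; it checks those prerequisites and accepts file paths as parameters so the parsing can be exercised on copies of the files. The storage path is an assumption based on the XDG convention, and the range thresholds (65536 ids, start at or above 100000) are the common convention, not a Podman requirement.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: pre-flight checks an
# administrator can run before letting a user run rootless Podman.

# subid_range FILE USER -> prints "START COUNT" for USER's first entry in FILE
# (lines look like "alice:100000:65536"); returns 1 if the user has no entry.
subid_range() {
  awk -F: -v u="$2" '$1 == u { print $2, $3; found = 1; exit } END { exit !found }' "$1"
}

# range_is_sane START COUNT -> 0 when the range offers at least 65536 ids
# (a full uid space inside the container) and starts at or above 100000,
# the usual convention that keeps it clear of real host accounts (assumption).
range_is_sane() {
  [ "$2" -ge 65536 ] && [ "$1" -ge 100000 ]
}

# subid_ok FILE USER -> 0 when USER has a usable range in FILE.
subid_ok() {
  local range
  range=$(subid_range "$1" "$2") || return 1
  # shellcheck disable=SC2086  # splitting into START and COUNT is intended
  range_is_sane $range
}

# userns_enabled -> 0 when the kernel allows unprivileged user namespaces.
userns_enabled() {
  local f=/proc/sys/user/max_user_namespaces
  [ -r "$f" ] && [ "$(cat "$f")" -gt 0 ]
}

# storage_dir_private DIR -> 0 when DIR exists and grants nothing to "other"
# users: this is what keeps one user's image layers out of reach of the
# others, at the price of the duplication the article mentions.
storage_dir_private() {
  [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# rootless_report USER [SUBUID] [SUBGID] [STORAGE_DIR] -> one line per check,
# returns 0 only when the subid and user-namespace checks all pass.
rootless_report() {
  local user="$1" subuid="${2:-/etc/subuid}" subgid="${3:-/etc/subgid}"
  local storage="${4:-${XDG_DATA_HOME:-$HOME/.local/share}/containers}" rc=0 f
  for f in "$subuid" "$subgid"; do
    if subid_ok "$f" "$user"; then
      echo "ok   $f: $user has range $(subid_range "$f" "$user")"
    else
      echo "FAIL $f: no usable range for $user"; rc=1
    fi
  done
  if userns_enabled; then echo "ok   unprivileged user namespaces enabled"
  else echo "FAIL /proc/sys/user/max_user_namespaces is 0 or unreadable"; rc=1; fi
  if storage_dir_private "$storage"; then echo "ok   $storage is private to $user"
  else echo "WARN $storage is missing or readable by other users"; fi
  return "$rc"
}

# Usage: ./rootless_preflight.sh --check
# Once the checks pass, `podman unshare cat /proc/self/uid_map` shows the
# mapping in effect: uid 0 in the namespace is the caller's own host uid.
if [ "${1:-}" = "--check" ]; then
  rootless_report "$(id -un)"
fi
```

The storage check is reported as a warning rather than a failure because the directory only appears after the user's first `podman` invocation; the subid and user-namespace checks are hard requirements, which is why only they drive the return code.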
Podman would not be Podman without the concept of pods. A pod is a group of containers working in the same shared environment; for example, two containers in a pod share the same network by default. Pods were first introduced by Kubernetes, which means Podman was made with Kubernetes integration in mind. This is clearly intended by Podman's developers, and you may find it especially interesting if you already run a Kubernetes cluster. Every pod has a container called the infra container. This container (which uses PID 1) orchestrates the Linux namespaces and cleans up zombie processes.
A tool often used with Docker is docker-compose. It lets you launch multiple containers at once from a simple YAML file. While there are third-party tools such as podman-compose, Podman's developers have no intention of making this official. However, Podman natively supports Kubernetes YAML deployment files. With a single command, you can generate the corresponding Kubernetes YAML file from a running pod. This is really good for reproducibility across different environments.
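The pod-to-YAML workflow described above, as an added example that is not from the article or the Podman project: a pod is created with two containers sharing its network, exported with `podman generate kube`, and the resulting file is audited before being replayed elsewhere. Since a generated file is what gets reused on other hosts, the audit flags the PodSpec and SecurityContext settings that widen a pod's reach onto the host. The pod and container names are made up, and the embedded YAML is a constructed sample in the shape `podman generate kube` produces (with two risky settings added on purpose) so the audit can run without Podman installed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: build a pod, export it as
# Kubernetes YAML, and audit the YAML before replaying it.

# build_and_export_pod NAME -> creates the pod, adds two containers, and
# writes NAME.yaml. A no-op when podman is not installed.
build_and_export_pod() {
  local name="$1"
  command -v podman >/dev/null 2>&1 || { echo "podman not installed, skipping" >&2; return 0; }
  podman pod create --name "$name" -p 8080:80          # port belongs to the pod's shared netns
  podman run -d --pod "$name" --name "$name-web" docker.io/library/nginx:alpine
  podman run -d --pod "$name" --name "$name-cache" docker.io/library/redis:alpine
  podman pod ps --ctr-names                            # also lists the infra container
  podman generate kube "$name" > "$name.yaml"          # the file to audit and reuse
  # Replay on another host with: podman play kube "$name.yaml"
}

# Constructed sample (not real podman output): a pod export with hostNetwork
# and privileged deliberately set so the audit has something to flag.
SAMPLE_KUBE_YAML='apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  hostNetwork: true
  containers:
  - name: demo-web
    image: docker.io/library/nginx:alpine
    ports:
    - containerPort: 80
      hostPort: 8080
    securityContext:
      privileged: true
  - name: demo-cache
    image: docker.io/library/redis:alpine
'

# audit_kube_yaml FILE -> prints one FLAG line per setting that lets the pod
# reach into the host, returns 1 when anything was flagged, 0 otherwise.
audit_kube_yaml() {
  local file="$1" key flagged=0
  for key in privileged hostNetwork hostPID hostIPC allowPrivilegeEscalation; do
    if grep -Eq "^[[:space:]]*${key}:[[:space:]]*true" "$file"; then
      echo "FLAG $key: true in $file"; flagged=1
    fi
  done
  return "$flagged"
}

# Usage: ./pod_export.sh demo   (creates demo.yaml and audits it)
if [ -n "${1:-}" ]; then
  build_and_export_pod "$1"
  [ -f "$1.yaml" ] && audit_kube_yaml "$1.yaml"
fi
```

The audit is line-oriented on purpose: `podman generate kube` emits one key per line, so a plain `grep` is enough here, whereas hand-edited YAML with flow syntax (`{privileged: true}`) would need a real YAML parser.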
The world of containers
Docker, a leader of the past
In the world of Linux containers, Docker holds a very dominant position. However, many new projects appear every day using other container technologies, which makes Docker's position less and less dominant. In 2017, Docker represented 99% of the containers in use, but since then this number has dropped a lot, to a market share of only 83% in 2019. As we can see, the market has mostly been affected by new container technologies such as CoreOS rkt, Mesos and LXC.
And what about Podman?
Podman belongs to the LXC container family and represents less than 1% of the containers in use. By comparison, CoreOS rkt has a 12% market share and Mesos 4%. Podman has only been on this market since 2017, which may explain the gap between it and its competitors.
To sum up
Docker has made a big contribution to the Linux container world, so much so that people usually talk about "Docker containers" rather than simply "Linux containers". To face Docker's hegemony and the security concerns about that solution, Podman is a very good alternative. The features Podman adds are especially good for operations teams, whereas Docker seems mostly focused on the developer's point of view in many cases. In a way, Podman also better respects the Unix philosophy, with specific, separate tools for each purpose.
Context for this article
This short presentation was written for the first year of the ENSIBS engineering school (virtualization class).